Bug 1881245

Summary: iscsiadm crash when discovering many target portals at once
Product: Red Hat Enterprise Linux 7
Reporter: Chris Leech <cleech>
Component: iscsi-initiator-utils
Assignee: Chris Leech <cleech>
Status: CLOSED ERRATA
QA Contact: Filip Suba <fsuba>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.9
CC: fsuba, pvlasin, revers, storage-qe
Target Milestone: rc
Keywords: EasyFix, Regression
Target Release: 7.9
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: iscsi-initiator-utils-6.2.0.874-20.el7_9
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1881244
Environment:
Last Closed: 2020-12-15 11:09:57 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1881244
Bug Blocks:

Description Chris Leech 2020-09-21 23:34:14 UTC
+++ This bug was initially created as a clone of Bug #1881244 +++

Description of problem:

When discovering many target portals in a single SendTargets discovery command, iscsiadm will crash due to a strcat buffer overflow.

Version-Release number of selected component (if applicable):

iscsi-initiator-utils > 6.2.0.878-0

How reproducible:

100%

Steps to Reproduce:

1. Configure an iSCSI target to report > 85 targets
   (you can just create a bunch of target names with targetcli, they don't need LUs and ACLs set)

2. iscsiadm -m discovery -t st -p <discovery portal>

Actual results:

iscsiadm will crash 

Expected results:

all targets discovered and node records created

Additional info:

This is a regression introduced with the new CHAP modes: a buffer in a struct that gets reused for each target discovered isn't reset, and it is appended to with the chap_algs config string with each pass until it overflows.

Reported upstream (https://github.com/open-iscsi/open-iscsi/issues/219) by a Fedora user.  Fix verified by that user, applied upstream, and to Fedora.

One line fix:
--- a/usr/idbm.c
+++ b/usr/idbm.c
@@ -169,6 +169,7 @@ static struct idbm *db;
 #define __recinfo_int_list(_key,_info,_rec,_name,_show,_tbl,_n,_mod) do { \
        _info[_n].type = TYPE_INT_LIST; \
        strlcpy(_info[_n].name, _key, NAME_MAXVAL); \
+       _info[_n].value[0] = '\0'; \
        for (unsigned long _i = 0; _i < ARRAY_LEN(_rec->_name); _i++) { \
                if (_rec->_name[_i] != (unsigned)~0) {                  \
                        for (unsigned long _j = 0; _j < ARRAY_LEN(_tbl); _j++) {        \
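Review bot: the added `_info[_n].value[0] = '\0';` stops the value from carrying over between targets, but the appends inside the `_i`/`_j` loops that follow are still unbounded according to the description (strcat). Consider bounding them against the size of `value`, the way the line above bounds `name` with `strlcpy(..., NAME_MAXVAL)`, so that a long list built in a single pass cannot overflow either. A short comment next to the reset saying that the struct is reused for each discovered target would also keep the line from being removed later as redundant.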

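The accumulation described under "Additional info", as an added example that is not part of the original report and is not open-iscsi code: a simplified model of one reused value buffer that is appended to once per discovered target, with and without the reset from the one-line fix. The struct, function names, the 256-byte buffer size and the "MD5" sample string are assumptions made for the illustration; the append is bounds-checked so the model reports the pass on which an unchecked strcat would have overflowed.

```c
#include <stdio.h>
#include <string.h>

#define DEMO_VALUE_MAX 256            /* assumed buffer size for this demo */

struct demo_recinfo {                 /* hypothetical stand-in for the reused struct */
    char value[DEMO_VALUE_MAX];
};

/* Append src only if it fits with its NUL; -1 means strcat would have overflowed. */
static int append_checked(char *dst, size_t cap, const char *src)
{
    size_t used = strlen(dst), need = strlen(src);
    if (used + need + 1 > cap)
        return -1;
    memcpy(dst + used, src, need + 1);
    return 0;
}

/* Build the comma-separated list value for one discovered target. */
static int fill_list(struct demo_recinfo *info, const char *algs, int reset)
{
    if (reset)
        info->value[0] = '\0';        /* same reset as the one-line fix */
    if (append_checked(info->value, sizeof(info->value), algs) < 0 ||
        append_checked(info->value, sizeof(info->value), ",") < 0)
        return -1;
    info->value[strlen(info->value) - 1] = '\0';   /* drop trailing ',' */
    return 0;
}

/* Returns the first pass that would overflow, or 0 if every pass fits. */
int first_overflow_pass(int targets, const char *algs, int reset)
{
    struct demo_recinfo info = { .value = "" };    /* one struct reused for all targets */
    for (int pass = 1; pass <= targets; pass++)
        if (fill_list(&info, algs, reset) < 0)
            return pass;
    return 0;
}

int main(void)
{
    /* "MD5" is a constructed sample value for the chap_algs string. */
    printf("no reset:   overflow on pass %d\n", first_overflow_pass(100, "MD5", 0));
    printf("with reset: overflow on pass %d\n", first_overflow_pass(100, "MD5", 1));
    return 0;
}
```
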
Comment 4 Chris Leech 2020-09-21 23:37:00 UTC
This also applies to 7.9 iscsi-initiator-utils >= 6.2.0-874.18

Comment 10 Filip Suba 2020-10-27 07:50:46 UTC
Verified with iscsi-initiator-utils-6.2.0.874-20.el7_9. Regression testing passed.

Comment 16 errata-xmlrpc 2020-12-15 11:09:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (iscsi-initiator-utils bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:5433